Ransomware & Cyber Security
One of the most important steps Oxygen has taken in the last couple of years has been the development of our Cybersecurity practice. While we have not fully launched the program, we have been releasing little nuggets over the past few months. We have talked about our strategy as it relates to Cisco's different platforms, our partnership with Kaspersky, and the work we do around End-User training.
In the past four weeks we have recruited a Cybersecurity Subject Matter Expert (SME) and formalized our Cybersecurity practice, which is delivered by our Cybersecurity Team in partnership with our vendors.
As we prepare to formally announce the capabilities of our Cybersecurity practice, we thought it would be insightful if we shared an activity the members of our Cybersecurity Team performed as they researched ransomware, specifically the nuts and bolts of how it gets released into a network, and some basic steps to mitigate risks.
The one thing we want to stress is that this research was carried out in an Oxygen sandbox, by Oxygen resources. So yes, research like this can, and does, occur in the Canadian Prairies. If you're wondering what exactly the term "sandbox" means, it refers to a self-contained, isolated environment where one can perform different activities without affecting an operational environment – truly a place to 'play'.
So, what do a couple of individuals with a nose for Cybersecurity do? Well, they spin up a sandbox and start trying to infect themselves with ransomware. Our Team did get some interesting takeaways on the "how" of ransomware. They have included some of their thoughts in point form below:
- The file executes.
- The program runs "VSSAdmin" and "WMIC" commands (the vssadmin delete shadows and wmic shadowcopy delete forms) to attempt to delete Volume Shadow Copies, if they exist. Deleting shadow copies requires administrative privileges, which matters for the takeaways below.
- The program uses Registry editing commands (reg add against a Run key) to establish persistence, so that it starts again after a reboot.
- The program begins to encrypt the files on the disk.
A very interesting discovery made when testing this variant of ransomware was that files do not appear to be encrypted in place; it seems a copy of each file is created and encrypted, and then the original file is removed.
- This test used a WannaCry ransomware variant and ran only on a single system, so its network-spreading behaviour was not exercised.
- Based on the above "order of operations" that the ransomware is using, if executed in a vacuum, its ability to attack Shadow Copies and establish machine-wide persistence is hampered by revoking administrative privileges from the user account that is "detonating" the ransomware. Note the limit of this: encryption of the files that account can already write to (including mapped network shares) still proceeds, so least privilege reduces the damage but does not replace tested, offline backups. This is an important takeaway…more to follow on that below.
- Another key takeaway is that the users accessing a company’s data should have minimal “rights” to their local workstation. As well, the hardening of any administrative accounts on the network should be carried out. Finally, we recommend that Business Decision Makers start to research solutions that allow for the implementation of “Zero-Trust” Networks. Below are some links that our Vendors have suggested as great follow-up reading:
- From Kaspersky – https://www.kaspersky.com/blog/zero-trust-security/36423/
- From Cisco – https://www.cisco.com/c/en/us/products/security/zero-trust.html
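The "order of operations" above is also a detection opportunity: the shadow-copy deletion and Run-key persistence commands both show up as child processes of the ransomware binary before any file is encrypted. The following is an added example from the editor, not code from the Oxygen Team's sandbox work. It runs simple rules over constructed process-creation log lines (the pipe-delimited format, user names, paths and timestamps are all made up for illustration; real telemetry would be Sysmon Event ID 1 or Windows Security Event 4688 with command-line logging enabled) and flags any parent process that performs both steps.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry), one per line:
# timestamp|user|parent image|command line
SAMPLE_LOG = """\
2017-05-12T10:01:03|LAB\\alice|explorer.exe|C:\\Users\\alice\\Downloads\\invoice.exe
2017-05-12T10:01:04|LAB\\alice|invoice.exe|cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete
2017-05-12T10:01:05|LAB\\alice|invoice.exe|reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v svc /t REG_SZ /d C:\\Users\\alice\\AppData\\Local\\Temp\\tasksche.exe /f
2017-05-12T10:03:00|LAB\\bob|backup-agent.exe|vssadmin create shadow /for=C:
2017-05-12T10:04:00|LAB\\bob|explorer.exe|notepad.exe C:\\Users\\bob\\notes.txt
"""

# Detection rules: (rule name, pattern matched against the command line, case-insensitive).
# "vssadmin create shadow" (a legitimate backup action) deliberately does not match.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("run_key_persistence", re.compile(r"\breg(?:\.exe)?\s+add\s+\S*\\CurrentVersion\\Run\b", re.I)),
]


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    parent: str
    cmdline: str


def parse_log(text):
    """Split the constructed pipe-delimited log into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, parent, cmdline = line.split("|", 3)
        events.append(Event(ts, user, parent, cmdline))
    return events


def match_rules(events):
    """Return (event, rule_name) pairs, at most one hit per rule per event,
    so a command line that chains vssadmin and wmic counts once."""
    hits = []
    for ev in events:
        seen = set()
        for name, pattern in RULES:
            if name not in seen and pattern.search(ev.cmdline):
                hits.append((ev, name))
                seen.add(name)
    return hits


def ransomware_sequences(hits):
    """Group hits by (user, parent image). A parent that both deletes shadow
    copies and writes a Run key has completed the pre-encryption sequence
    described in the sandbox write-up and is returned as a high-confidence finding."""
    by_parent = defaultdict(set)
    for ev, name in hits:
        by_parent[(ev.user, ev.parent)].add(name)
    required = {"shadow_copy_deletion", "run_key_persistence"}
    return sorted(key for key, names in by_parent.items() if required <= names)


if __name__ == "__main__":
    found = match_rules(parse_log(SAMPLE_LOG))
    for ev, name in found:
        print(f"{ev.ts} {ev.user} parent={ev.parent} rule={name}")
    for user, parent in ransomware_sequences(found):
        print(f"ALERT: {parent} run by {user} deleted shadow copies and set persistence")
```

Either rule on its own is worth an alert, because on a workstation there is rarely a legitimate reason for a user-launched binary to delete shadow copies. The combined sequence is the stronger signal. Remember that the shadow-copy step only succeeds from an account with administrative rights, which is why the detection pairs naturally with the least-privilege advice: a non-admin user makes the first step fail and the alert fire, while still leaving the encryption step to be stopped by backups and endpoint protection.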
If you do not feel like clicking on those links, then here is a quick overview from the Oxygen Team: a "Zero Trust Network" verifies every user and device explicitly, and then applies a "policy of least privilege" to what they can reach.
The idea is:
A Zero Trust Network is a network where no system or user is trusted by default. Trust cannot be "cached" so that the network remembers a user or system as "trusted." The idea is that a user being in the office and plugging a computer in does not mean that the computer or user automatically gets to connect to the internal network (which is how it has traditionally been done); a network with a Zero Trust policy will perform some sort of check to authenticate both the computer and the user on every connection.
Once a device is connected to the network, the policy of least privilege dictates that the user should only have access to what that user requires.
For example, if the user in question is in the Sales department, the user should be able to access Sales resources, but not the accounting software. If the user were to move to an Accounting role, they would gain access to the accounting software, and the policy of least privilege would dictate that their access to Sales resources be revoked at the same time, rather than accumulating.
Call to Action:
Do not get overwhelmed with all the data you can gather about various modern-day threats. Engage your IT Team, or the Team at Oxygen, and we will talk about how we can help you mitigate against cyber threats.